
Data Sharing during COVID-19: How to Maintain ePHI Privacy and Security

By Kimberley Whyte in All Posts, HIPAA

Kimberley Whyte

Security Analyst

 

The global spread of COVID-19 has generated countless privacy, data protection, security, and compliance questions for companies working hard to provide care in our new reality of “socially distant” interactions. For all organizations that depend on direct customer engagement, adopting new technologies to enable and support remote audio and video communications is the only path toward remaining in business. Healthcare providers are particularly affected by this paradigm shift. Many smaller providers that only offered in-person services have been forced to quickly adopt new technologies and platforms as a means to offer care to patients. Protecting the security and privacy of patient health-related information is challenging at the best of times, and it is now made even more difficult during the current crisis.

Regulatory Requirements and Changes Due to COVID-19

 
 

The Health Insurance Portability and Accountability Act (HIPAA) requires all entities with access to Electronic Protected Health Information (ePHI) to protect the security and privacy of that information. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued waivers and notices of enforcement discretion for several issues related to HIPAA compliance during the pandemic. The following paragraph summarizes the key actions that OCR has taken to modify HIPAA in response to the COVID-19 pandemic:

“OCR’s enforcement discretion for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the privacy rule. The waiver allows covered providers to potentially use any non-public facing remote, audio, or video communication platforms available to provide telehealth and communicate with patients during the pandemic. OCR will not penalize those providers for using potentially non-HIPAA-compliant tools, regardless of whether or not the service is used to diagnose or treat COVID-19-related conditions.”

Learn more about how to get started with HIPAA Compliance with Posture

Recommendations and Best Practices for Securing Data During the Pandemic

 
 
 
  1. Employees should be trained on potential security risks and the secure use of remote tools.
  2. For employees working remotely, Virtual Private Network (VPN) connections should be made mandatory.
  3. Employers must provide guidelines and policies on restricting the use of private devices and supplying adequate password protection.
  4. Employee security awareness training should be promoted by educating employees about the rising level of coronavirus-related cyberthreats, including potential responses and incident handling.
  5. IT departments must be provided with the resources needed to support employees working securely from home by expanding their network and videoconferencing capacity with vendor-supplied services.
